We’re now one year on from the introduction of the General Data Protection Regulation (“GDPR”) and one of the consequences for our clients has been a significant rise in the number of data subject access requests (“DSARs”) made by employees. By making a DSAR, current and former employees can obtain all their “personal data” held by their employer. As personal data is information that relates to an identifiable individual, employers hold significant amounts of personal data about their staff.
DSARs are notoriously time-consuming to manage and, under the GDPR, the time period employers have to respond has been reduced to one month from the longer period of 40 days that applied under the old regime.
Given the increase in the number of requests and the shorter period for a response, we set out below 10 top tips to help employers if and when they receive a request:
1. Create a protocol so that your business can respond within one month
In today’s electronic world, employees generate significant amounts of material which is likely to contain their personal data and which will need to be collated, reviewed and processed before your business can respond to a DSAR. Doing all of this within the short deadline of one month can be difficult, so having an agreed protocol in place which outlines the steps you will take to respond to a DSAR can help save precious time. A protocol should include an allocation of responsibilities and the steps which must be taken to comply with a request.
Although it is possible, in exceptional circumstances, to notify the employee within a month of receiving the DSAR that you require three months to reply, the circumstances in which an extension of time may be justified are rare: they apply only to complex requests or to repeated requests from the same employee. Remember that your employee can challenge your decision to extend time by complaining to the ICO (Information Commissioner’s Office).
2. Train your staff
Your staff need to understand the importance of dealing promptly with DSARs. This includes knowing who within your business should be notified once a DSAR is received and, if they are responsible for responding to the request, how it should be managed. Crucially, relevant staff need to be trained on these points.
3. Try to narrow the scope of the request
Often employees will be interested in very specific material when they submit a DSAR. For example, if they are participating in a grievance or disciplinary process or have recently had their employment terminated, there are likely to be particular documents they want to read. The scope of the request may be clear from the initial request. However, if it isn’t clear, consider having a conversation with the person making the request about what they want and whether the request can be narrowed. Doing so should help to ensure you can respond within 30 days and only give the employee the personal data they really want. Of course, this isn’t always possible.
4. Consider using a bespoke platform to manage the DSAR
It can be helpful to use bespoke electronic platforms to manage DSARs as these will often have specific functionality to assist with running searches, identifying relevant documents and carrying out redaction. This can be very useful particularly for larger DSARs, which can otherwise be very difficult to manage on an employer’s normal IT platform. Employers should discuss this with their IT provider and make sure that their systems are fit for purpose.
5. Use appropriate search terms and do a sample review before undertaking a full review
Once you know what you are looking for, consider using search terms to generate an initial set of results. This might be the employee’s name (or variations on it) plus key words and date ranges which are likely to generate personal data, taking account of the scope of the request. Once you have created an initial set of results, carry out a sample review to make sure that the results are largely relevant. Depending on the search that you’ve carried out, you might have generated a lot of false positives which could be removed by a further refinement to your search terms before you conduct a full review.
6. Carry out a full review to ensure that the results contain personal data
Just because an individual’s name is mentioned in a document doesn’t necessarily mean that the document contains personal data. Make sure that you understand the test for personal data and apply it to your search results appropriately. Remember, personal data is information which relates to an identifiable individual.
7. Use the exemptions
When analysing the personal data, review the documents for those that are exempt from disclosure. You may need to take advice on this, but the exemptions include references given or received, management forecasting or planning, information about negotiating intentions – perhaps in relation to a settlement agreement, third-party information, or information that may be subject to legal professional privilege.
8. Allow enough time for redaction
Once you have produced an initial set of results containing the employee’s personal data, you will need to review the material to see if anything needs to be redacted. In particular, you should ensure that any privileged material or personal data of other individuals is redacted before the response is sent to the employee.
9. Allow enough time to send the response
Depending on how the DSAR was submitted and the size of the response, you may need to provide a hard copy and/or electronic response. If you’re going to provide an electronic response, consider whether you will share the response on an electronic platform (and, if so, which one you will use) or whether you will email the response (in which case, ensure you have the right email address and that the attachments are small enough to be sent through any relevant firewalls).
10. Create an audit trail
If an employee is dissatisfied with the response they receive to a DSAR they may complain about it to the Information Commissioner or a court or tribunal. If they do so, it will be important that you can demonstrate the steps you took to respond to the DSAR so as to minimise the risk of sanctions being applied.